Retrieve True Bytes of a Function

c++ / delphi package - dll injection and api hooking


Postby pambol » Mon Jul 09, 2018 11:49 pm

How can you return/get the real bytes of a function, since someone can hook these APIs?
For example, if they hook OpenProcess using an inline hook, how can you get the real bytes to write at the OpenProcess address and use it without problems?
pambol
 
Posts: 15
Joined: Sat Jun 23, 2018 1:15 am


Postby madshi » Tue Jul 10, 2018 9:32 am

You can use madCodeHook's RestoreCode() API which will unpatch an API and replace it with the original bytes from the file on harddisk. RestoreCode() will only restore the first 6 bytes of the API, though.

Doing this is not as easy as it might sound because you can't just fetch the bytes from the file on harddisk untouched. You also may have to apply relocation adjustments. Of course RestoreCode() does all that properly.
madshi
Site Admin
 
Posts: 9719
Joined: Sun Mar 21, 2004 5:25 pm


Postby pambol » Tue Jul 10, 2018 5:05 pm

That sounds great. And does madCodeHook have some way to detect it?
I'm checking if the first byte of the function is one of these bytes:

switch (firstByte) {   // first byte of the function's code
case 0x68:  // push imm32
case 0xC2:  // ret imm16
case 0xC3:  // ret
case 0xE8:  // call rel32
case 0xE9:  // jmp rel32
case 0xFF:  // FF /2 call r/m, FF /4 jmp r/m, FF /6 push r/m
    hooked = true;
    break;
default:
    hooked = false;
}

If it is, I restore.


Postby madshi » Tue Jul 10, 2018 5:26 pm

Why don't you simply let madCodeHook do the job, by calling RestoreCode(), instead of trying to do it yourself?


Postby pambol » Tue Jul 10, 2018 5:32 pm

I think it's good to check if the function is patched or not before calling it, or does madCodeHook already do it?
Other question: is it possible to run RestoreCode on an external application?


Postby madshi » Tue Jul 10, 2018 5:35 pm

Yes, madCodeHook only restores the code if it was changed.

Why would you need to do this on an external application?


Postby pambol » Tue Jul 10, 2018 9:37 pm

Because some applications hook LdrLoadDll, so your inject function doesn't work.
For this reason I need to restore these bytes.


Postby madshi » Tue Jul 10, 2018 9:50 pm

Are we talking about injection into already running processes (done by the user mode part of madCodeHook)? Or do you mean the driver's injection into already running processes?


Postby pambol » Tue Jul 10, 2018 10:37 pm

About both.
Another question about RestoreHook, for example OpenProcess. From XP to W10 I don't need to call RestoreCode on OpenProcess, right? I just need to call RestoreCode on ZwOpenProcess?
No, I need to call it on all three; I tested hooking them one by one and calling OpenProcess.

The question now is how to restore these bytes in an external program in order to inject into it.


Postby iconic » Wed Jul 11, 2018 2:19 am

RestoreCode is only meant to function as an aggressive backup in case HookCode/HookApi fails *disclaimer should be present* due to another library already hooking the target function. Out-of-the-box RestoreCode can't be repurposed for what you require, which is doing the same thing out of process context; you MUST already be inside it for this API to work, meaning LdrLoadDll has already loaded your injected DLL. You've confused the purpose of the in-context API completely. If Madshi had originally intended this to work for any process outside the current one, perhaps it would have this function prototype, which still wouldn't help if an LdrLoadDll hook is installed before your DLL is loaded in order to even call RestoreCode from within it! What you're asking isn't complex, but this isn't the design nor the sole reason madCodeHook was created.

function RestoreCode(const hProcess: THandle; lpCode: Pointer): BOOL; stdcall;


--Iconic
iconic
 
Posts: 833
Joined: Wed Jun 08, 2005 5:08 am


Postby madshi » Wed Jul 11, 2018 7:31 am

Of course you could call RestoreCode() in your own process and then copy the first 6 bytes to all other processes which have the same bitdepth (you should first check if ntdll.dll/kernel32.dll are loaded at the same address as in yours, of course), by using VirtualProtectEx + WriteProcessMemory. It seems a rather nasty thing to do, though, so please do this at your own risk. Also, it will only work to restore the API in the same bitdepth as your own process.


Postby pambol » Wed Jul 11, 2018 2:17 pm


Is the only way to restore the bytes in other processes which hook LdrLoadDll to read them from my own process and write them at their address? Is there no other way?


Postby iconic » Thu Jul 12, 2018 9:45 pm

One way (my preference) is to call CreateFileMapping() with (SEC_IMAGE or PAGE_EXECUTE_READ) protection and map the module into your process. Compare target code (usually x bytes in the prologue) to whatever function RVA you've added to your mapping base, if they differ you can use x file mapping bytes to restore the target function to its original code form. You can calculate a function's RVA (Relative Virtual Address) by subtracting the target module's base address from the function's VA (Virtual Address) then simply add this value to whatever your file mapping base address is. I wouldn't run around intentionally unhooking code since it can in fact break programs. A legitimate use could potentially be an anti-rootkit that is capable of removing malicious hooks system-wide, for example.

--Iconic


Postby pambol » Sat Jul 14, 2018 11:37 pm


I mean restoring function bytes in external processes, not in mine. I need to do it so that InjectLibrary from madCodeHook works; if not, it doesn't inject the DLL.


Postby iconic » Sun Jul 15, 2018 5:08 pm

I've already explained how to do this in my previous post. As Madshi mentioned earlier as well, you can use WriteProcessMemory on the target process (you don't need a previous call to VirtualProtectEx because WriteProcessMemory already does this internally by protecting with PAGE_EXECUTE_READWRITE and will also even flush the icache after modifying the memory). Map the target module as executable in your process, adjust the RVA to the new mapped base in your process and then read in the original bytes. After this is done simply write these original bytes back to the target(s) in the other process(es). That's it.


--Iconic
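The procedure iconic and madshi describe in this thread (map a clean copy of the module as an image, locate the function by RVA, compare the prologue, account for relocations, write the original bytes back in-process or with WriteProcessMemory), as an added example that is neither madCodeHook's code nor code posted by anyone in the thread. The portable helpers run on constructed bytes so the demo works on any platform; the Windows-only functions are guarded by `#ifdef _WIN32`. Assumptions: a 6-byte window (madshi's figure for what madCodeHook patches), IMAGE_REL_BASED_HIGHLOW fixups whose offsets you have already parsed out of the PE .reloc directory (that parsing is not shown), that an unrelocated SEC_IMAGE view holds addresses for the optional header's ImageBase, and that the target module is loaded at the same base as in your own process. The demo data (a "mov eax,[abs32]; push ebp" prologue, a jmp-rel32 hook) is constructed for the example.

```c
/* Added example (not madCodeHook or the posters' code): detect an inline hook
 * on an API prologue by comparing it with a clean copy of the module, rebase
 * absolute addresses in that copy, and write the original bytes back. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PROLOGUE_LEN 6   /* madCodeHook patches/restores the first 6 bytes */

/* IMAGE_REL_BASED_HIGHLOW fixup: 32-bit absolute address `off` bytes from the
 * function start (offsets come from the PE .reloc directory; not parsed here). */
typedef struct { size_t off; } reloc32_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* RVA = VA - module base; the same RVA indexes the clean image view. */
static const uint8_t *clean_ptr(uintptr_t func_va, uintptr_t mod_base, const uint8_t *view) {
    return view + (func_va - mod_base);
}

/* Prologue as it must look at target_base: clean bytes plus (target_base - clean_base)
 * on every absolute address inside the window. clean_base is the base the clean
 * bytes were relocated for; for an unrelocated SEC_IMAGE view that is the optional
 * header's ImageBase (assumption: confirm against an unhooked export in your own
 * process). Skipping this step is the relocation mistake madshi warns about. */
static void expected_prologue(const uint8_t *clean, uintptr_t clean_base, uintptr_t target_base,
                              const reloc32_t *relocs, size_t nrelocs, uint8_t out[PROLOGUE_LEN]) {
    uint32_t delta = (uint32_t)(target_base - clean_base);   /* modular wrap is intended */
    memcpy(out, clean, PROLOGUE_LEN);
    for (size_t i = 0; i < nrelocs; i++)
        if (relocs[i].off + 4 <= PROLOGUE_LEN)   /* fixups straddling the window: out of scope */
            wr32le(out + relocs[i].off, rd32le(out + relocs[i].off) + delta);
}

/* Any difference from the rebased clean bytes is a patch. Unlike a first-opcode
 * check (E9/FF/68...), this catches hooks that start with an innocent byte and
 * does not flag legitimate prologues that happen to start with one of those. */
static bool is_hooked(const uint8_t *live, const uint8_t expected[PROLOGUE_LEN]) {
    return memcmp(live, expected, PROLOGUE_LEN) != 0;
}

/* In-process restore; returns true if bytes changed. On a real module the page
 * needs VirtualProtect(PAGE_EXECUTE_READWRITE) first and FlushInstructionCache after. */
static bool restore_prologue(uint8_t *live, const uint8_t expected[PROLOGUE_LEN]) {
    if (!is_hooked(live, expected)) return false;
    memcpy(live, expected, PROLOGUE_LEN);
    return true;
}

#ifdef _WIN32
#include <windows.h>
/* Clean copy via a SEC_IMAGE mapping (iconic's method): the view is laid out
 * like a loaded module, so RVAs apply directly. */
static const uint8_t *map_clean_image(const wchar_t *path) {
    HANDLE f = CreateFileW(path, GENERIC_READ | GENERIC_EXECUTE, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (f == INVALID_HANDLE_VALUE) return NULL;
    HANDLE m = CreateFileMappingW(f, NULL, PAGE_EXECUTE_READ | SEC_IMAGE, 0, 0, NULL);
    CloseHandle(f);
    if (!m) return NULL;
    const uint8_t *view = (const uint8_t *)MapViewOfFile(m, FILE_MAP_READ, 0, 0, 0);
    CloseHandle(m);   /* the view keeps the section alive */
    return view;
}
/* Cross-process restore (madshi's suggestion). Only valid when the module sits at
 * the same base in the target and the bitness matches; verify that with
 * EnumProcessModulesEx/GetModuleInformation before writing anything. */
static bool restore_in_process(HANDLE proc, void *func_va, const uint8_t expected[PROLOGUE_LEN]) {
    DWORD old; SIZE_T n = 0;
    if (!VirtualProtectEx(proc, func_va, PROLOGUE_LEN, PAGE_EXECUTE_READWRITE, &old)) return false;
    bool ok = WriteProcessMemory(proc, func_va, expected, PROLOGUE_LEN, &n) && n == PROLOGUE_LEN;
    VirtualProtectEx(proc, func_va, PROLOGUE_LEN, old, &old);
    FlushInstructionCache(proc, func_va, PROLOGUE_LEN);
    return ok;
}
#endif

/* Constructed demo data: a clean image view (ImageBase 0x10000000) whose function
 * at RVA 6 starts "mov eax,[0x10003000]; push ebp" (A1 imm32 55), HIGHLOW fixup at
 * offset 1. In the target process the module is loaded at 0x77000000. */
static const uint8_t   k_view[12]  = { 0, 0, 0, 0, 0, 0, 0xA1, 0x00, 0x30, 0x00, 0x10, 0x55 };
static const reloc32_t k_relocs[]  = { { 1 } };
static const uintptr_t k_image_base = 0x10000000u, k_target_base = 0x77000000u;

/* Not hooked: raw bytes differ from the view (address was relocated), must not be flagged. */
bool demo_unhooked_not_flagged(void) {
    uint8_t expected[PROLOGUE_LEN], live[PROLOGUE_LEN] = { 0xA1, 0x00, 0x30, 0x00, 0x77, 0x55 };
    const uint8_t *clean = clean_ptr(k_target_base + 6, k_target_base, k_view);
    expected_prologue(clean, k_image_base, k_target_base, k_relocs, 1, expected);
    return memcmp(live, clean, PROLOGUE_LEN) != 0 && !is_hooked(live, expected);
}

/* Same function carrying a 5-byte "jmp rel32" hook plus a nop: detected and restored. */
bool demo_hook_restored(void) {
    uint8_t expected[PROLOGUE_LEN], live[PROLOGUE_LEN] = { 0xE9, 0x12, 0x34, 0x56, 0x78, 0x90 };
    const uint8_t *clean = clean_ptr(k_target_base + 6, k_target_base, k_view);
    expected_prologue(clean, k_image_base, k_target_base, k_relocs, 1, expected);
    return restore_prologue(live, expected) && memcmp(live, expected, PROLOGUE_LEN) == 0
        && rd32le(live + 1) == 0x77003000u;
}
```

Two practical notes. System DLLs such as ntdll.dll and kernel32.dll normally share one load address across all processes of the same bitness within a boot session, which is why the cross-process write can work at all; the base still has to be read from the target rather than assumed, and a 32-bit helper cannot restore a 64-bit process (or vice versa). On x64 the first bytes of an API are almost always RIP-relative, so the relocation step rarely changes anything there; on x86 it matters whenever the window contains an absolute address. Writing over hooks in other processes also removes whatever the hook's owner (security software, instrumentation) relies on, so expect breakage and tamper alerts.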
